SECTION 404
The July Data
View The Actual Internal Control Disclosures From July
View Sample Disclosures Of Remediation Efforts From July
According to a review of regulatory filings during the month of July, 36 companies disclosed material weaknesses or significant deficiencies in internal controls, or provided material updates on the status of their control-improvement processes.
That number is down from 41 similar disclosures in June, and 51 in May.
Experts give differing opinions on the slight dip in disclosures. According to the most optimistic industry watchers, most of the “dirty laundry” has already been disclosed, and the number of internal control weakness disclosures may continue to decrease as we approach the effective date of Section 404 in December.
Others note that the Sarbanes-Oxley Section 404 disclosures haven't really "kicked in" yet, and that companies are still in the process of analyzing controls on which their auditor has yet to opine.
Wagner
"Most of the [internal control weakness] disclosures are not coming out of the 404 process, at least not yet," notes Steven Wagner, a partner at Deloitte and Touche who chairs the firm's Sarbanes-Oxley Internal Control Steering Committee.
According to Wagner, most of the existing disclosures are a byproduct of last year's audit. "Because of the [Sarbanes-Oxley Section] 302 rules, management has felt obligated to make those internal control disclosures public," he says. Wagner adds that most companies are still doing remediation work, and that the external auditor is not yet fully involved in the testing effort. "That will start to pick up shortly," says Wagner.
More Remediation
One trend that is clearly emerging as the SOX 404 deadline approaches is that more companies are providing greater detail on their remediation efforts.
Compliance Week identified this trend last month; however, the volume of internal control improvement disclosures in July was significant. In previous months, remediation disclosures were relatively brief or vague, generally referring to efforts inside the company without providing great detail. In July, however, several companies provided granular details on their control remediation efforts.
One of the most detailed examples came from $4 billion International Steel, which had identified an internal control weakness back in April. The company’s improvement disclosure describes how the company reviewed and replaced its accounting system, developed new systems and procedures with outside help, and initiated “in-depth reviews to determine the adequacy of the accounting organization,” as well as taking other steps.
This month, we've made available a separate table to illustrate how some companies have disclosed their control improvement and remediation efforts.
A More Common Risk Factor
More companies are also including internal control issues as a “risk factor” in the MD&A section of their periodic reports. In July, such disclosures typically noted that deficiencies or weaknesses could emerge, or that minor problems might at some point become reportable conditions.
$493.1 movie chain Carmike Cinemas, for example, noted “there can be no assurance that there may not be significant deficiencies or material weaknesses that would be required to be reported.”
Wireless firm MetroPCS Communications, which disclosed a weakness back in May, actually noted among its risk factors that its remediation efforts have not been entirely successful. “While these efforts represent significant steps in remediating the material weakness,” the company stated, “management believes, and our auditors have advised us ... that the material weakness still exists.”
The same was the case at $59.6 million satellite operator Motient Corp., which noted in its risk factors that, “We have not yet been able to fully execute all of the salutary procedures and actions we deem desirable to address our internal control deficiencies.”
Big Disclosures, Small Companies
As was the case with prior months, most of the disclosures came from companies with under $1 billion in revenue. Most, 43 percent, had under $100 million in revenue.
In July, 29 percent of the companies making disclosures had more than $1 billion in revenue. That number is up from June, when only 16 percent of the disclosures came from large companies; however, many of the largest companies were actually providing material updates to existing weaknesses, and were not making new disclosures. That was the case at International Steel, Goodyear Tire, and others.
As CW has noted in prior months, the large percentage of small companies disclosing weaknesses and deficiencies is typically due to the fact that their internal controls are less formal than at global organizations, where controls are typically more structured and formal.
MOST COMMON
Financial System Weaknesses
Problems with financial systems and procedures remain the most common types of weaknesses and deficiencies disclosed. In July, 47 percent of the disclosures were related to financial systems and procedures.
Typically, problems in this category are related to the financial close process, account reconciliation, or inventory processes. In addition, the problems tend to be similar regardless of company size.
$1.3 billion discount and variety retail store Fred’s Inc., for example, cited problems with the financial statement closing process and “procedures related to accounting for consideration received from vendors.”
$107.3 million specialty eater Cosi described errors in “account reconciliations and related analyses.”
At $24.8 million SYS, the problem was “certain deficiencies in the systems and processes used in the preparation of financial statements.” Ironically, the IT consulting firm also noted that some of its material weaknesses fall into the category of IT systems.
Not coincidentally, a recent survey by PricewaterhouseCoopers noted that the most frequently cited area requiring internal control remediation efforts was in this category of financial process improvements. According to the survey, 55 percent of respondents expected remediation efforts to focus on financial process improvements. Computer and security controls also ranked high on the PwC remediation priority survey.
As in prior months, Compliance Week aggregated multiple weaknesses of the same “type” into one entry. Crown Financial Group, for example, disclosed that it had weaknesses related to numbers issues that fall under CW’s “financial systems and procedures” category, including certain improper reconciliation, expense recognition, and “accounting associated with the consolidation and sale of a Company subsidiary.” For the purposes of our July internal control list, those problems at Crown Financial count as one entry.
Personnel-Related Issues
The second most common type of disclosures was related to personnel issues, totaling 30 percent of all disclosures in July. That’s identical to the percentage of personnel-related disclosures in June. In May, 33 percent were personnel-related, and in April the number was 26 percent.
Personnel-related issues are typically related to poor segregation of duties, inadequate staffing, or related training or supervision problems.
Several companies, including $318.1 million Omnivision Technologies, audio equipment maker Singing Machine, and $19.9 million construction and design services firm Calprop, noted weaknesses related to adequate staffing levels. $1 billion aerospace and defense company Aviall disclosed an “internal control failure related to a lack of segregation of duties” at an overseas subsidiary.”
Interestingly, personnel-related remediation efforts did not show up on the PwC survey mentioned above. "That's actually not surprising," notes Dan DiFilippo, PwC's U.S. leader for governance risk and compliance, because personnel issues are among the most difficult issues to track. According to DiFillipo “Making sure that people are properly trained, that they're ethical, that they know what do—that's the hardest part, and it gets shortchanged.”
Others Categories; Lack Of Details
Weaknesses related to documentation seem to be decreasing over time, which may be due to the fact that most companies are past the documentation stage of Section 404 compliance. In July, only 2 percent of disclosures cited weaknesses with documentation. That number is down from 5 percent in June, 9 percent in May, and 16 percent in April.
Problems with revenue recognition were cited in 9 percent of disclosures in July, which was flat with the 10 percent reported in June.
5 percent of companies cited weaknesses in IT systems in July. None reported similar issues in June.
Interestingly, 7 percent of companies disclosed a weakness without providing detail on the type of problem. $49.6 million electronic components maker Soyo Group was one of those companies. Soyo noted that its auditor, Grobstein, Horwath & Company, had identified significant deficiencies that “in the aggregate, constitute material weaknesses”; however, the company did not explain what the weakness was.
Other small companies, like $17.2 million Universal Security Instruments and $16.2 million Cumberland Technologies, also failed to provide details on the nature of control problems.
Exclusions
To avoid duplication, Compliance Week's July list does not include disclosures that had been made public in prior months, unless there was a significant and material update.
Sonus Networks, for example, disclosed a weakness in March, and Compliance Week included the company in its list of March disclosures. Though Sonus acknowledged on July 29 that it had “taken actions to strengthen our internal controls, processes and infrastructure,” the improvements were not specified and the update was not significant or material. As a result, it is not included in our July tally. The same was the case at Cotelligent, which noted it had “enhanced its internal control environment” to address deficiencies reported in May list, but provided no details on steps taken.
Dynacq Healthcare also provided details on its internal control problems and the company's remediation status; however, that information was not materially different than prior disclosures (including one in April when the company was delisted by Nasdaq). The same was the case at companies like CMS Energy, Pricesmart, Far East Energy, Lions Gate Entertainment and others.
Inclusions
We did, however, include in our July list companies that provided material updates to their controls or remediation efforts.
Symbol Technologies, for example, had already disclosed certain problems on April 1; however, the company identified an additional weakness since then. In addition, the company listed five steps Symbol has taken to improve the effectiveness of its internal controls.
Other companies, like oil and gas exploration firm Seitel, the Orthodontic Centers of America, and medical equipment company Sight Resource, provided updates on control remediation efforts, policy changes, and in some cases internal investigations.
The List
As usual, we’re including the complete list of disclosures below. Please note that Compliance Week does not publish this list to point an accusatory finger; rather, our goal is to provide information to subscribers that might be helpful in understanding how their peers are making such disclosures and are approaching remediation.
Also, be aware that the excerpts below are just that: excerpts. The complete SEC filings are available for those who would like to review the disclosures in greater detail.
Click Here For The List Of July Disclosures
No comments yet